EXT = "em0"
set skip on lo0
# Block everything by default
block log all
# In
pass in quick on $EXT inet proto tcp from any to port {22, 80}
# Out
pass out quick on $EXT inet all
# pfctl -vvnf test.pf
EXT = "em0"
set skip on { lo0 }
@0 block drop log all
@1 pass in quick on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
@2 pass in quick on em0 inet proto tcp from any to any port = www flags S/SA keep state
@3 pass out quick on em0 inet all flags S/SA keep state
# activate spoofing protection for all interfaces
block in quick from urpf-failed
pass in on $ext_if proto tcp from any to 202.4.2.1 port 80 flags S/SA synproxy state
# catches any attempts to connect to TCP port 80
pass in on egress inet proto tcp to (egress) port 80 \
rdr-to $comp3 synproxy state
pass in inet proto icmp all icmp-type $icmp_types
# traffic must be passed to and from the internal network
pass in on $int_if
# Block PING to a server
block return-icmp in quick on fxp0 proto icmp from any to 10.0.0.1
# block IPs with high connection rates
block quick from <bad_hosts>
pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \
(max-src-conn-rate 100/10, overload <bad_hosts> flush global)

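As an added example, not code from the thread or from Hansteen's book: the scattered snippets above assembled into one coherent pf.conf, with comments on why the order of the quick rules and the overload table matters. The interface names, addresses and ICMP types are placeholders for your own topology; check the file with pfctl -vvnf before loading it with pfctl -f.

```pf
# Placeholders: replace interfaces and addresses with your own values.
ext_if     = "em0"
int_if     = "em1"
webserver  = "10.0.0.1"
icmp_types = "{ echoreq, unreach }"

# Filled at runtime by the overload rule; 'persist' keeps the table
# even while no rule references it.
table <bad_hosts> persist

set skip on lo0

# Default deny, logged, so only explicit pass rules admit traffic.
block log all

# Spoofing protection: drop packets that fail the reverse-path check.
# 'quick' ends evaluation here, so no later pass rule can override it.
block in quick from urpf-failed

# Refuse sources that earlier tripped the rate limit. This must come
# before the 'pass in quick' rules, or those would match first.
block quick from <bad_hosts>

# SSH: a source opening more than 100 connections in 10 seconds is
# added to <bad_hosts>, and 'flush global' removes all of its states.
pass in quick on $ext_if inet proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

# Web: redirect to the internal host; synproxy makes pf complete the
# TCP handshake before the internal host ever sees the connection.
pass in quick on $ext_if inet proto tcp to ($ext_if) port 80 \
    rdr-to $webserver synproxy state

# Only the listed ICMP types are accepted on the external interface.
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

# Internal and outbound traffic is trusted here. Replies to the
# stateful rules above match their (floating) states on any interface.
pass in quick on $int_if
pass out quick inet all
```
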
barti, one of the things this site attempts to promote is good practice done by sysadmins. Having no knowledge of what rules are being used is not a good practice.

One of the things you may learn is that rulesets are specific to the network topology in which they are used. Even if someone wanted to do your work for you, without knowledge of the specifics of your network arrangement, they aren't going to get far.

Oh, how apt this is. I have posted this before, but barti has not seen it.

---

I quote from Peter Hansteen's Book of PF, No Starch Press, ISBN: 978-1-59327-274-6, as posted in Hansteen's Firewalling with OpenBSD's PF packet filter.

Code:

Just to hammer this in, please repeat after me
The Pledge of the Network Admin
This is my network.
It is mine
or technically my employer's,
it is my responsibility
and I care for it with all my heart
there are many other networks a lot like mine,
but none are just like it.
I solemnly swear
that I will not mindlessly paste from HOWTOs.